Office of Inspector General
Audit Report

QUALITY CONTROL REVIEW OF THE AUDIT OF THE EFFECTIVENESS OF DOT’S EARNED VALUE MANAGEMENT PRACTICES

Department of Transportation

Report Number: QC-2014-065
Date Issued: July 17, 2014

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Quality Control Review of the Audit of the Effectiveness of DOT’s Earned Value Management Practices
Report Number: QC-2014-065
Date: July 17, 2014
From: Louis King, Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20
To: Chief Information Officer, DOT

This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) earned value management (EVM) practices. EVM is a tool used to plan, execute, and control the costs and schedules of information technology (IT) projects. It provides insight on program performance by comparing the value of work accomplished to the planned value of scheduled work. The Office of Management and Budget requires agencies to use EVM to calculate cost and schedule variances from the approved baselines for major IT investments.[1] For fiscal year 2013, DOT requested $2.2 billion for 44 major IT investments and approximately $15 million for IT security.

KPMG LLP conducted this audit under contract to DOT’s Office of Inspector General (OIG). The audit objectives were to determine whether DOT: (1) has implemented effective EVM policies, procedures and practices; and (2) uses accurate EVM data to plan, monitor, and report the status of its IT investments and related security spending. KPMG found deficiencies in DOT’s EVM procedures and practices and issued 14 recommendations to help the Department establish and maintain an effective program (see Exhibit A for a list of these recommendations). DOT’s Chief Information Officer concurred with all recommendations. His response is included on page 26 of KPMG’s audit report, dated June 30, 2014, which can be found in its entirety in the attachment to this report. In accordance with DOT Order 8000.1C, the corrective actions taken in response to the findings are subject to follow-up.

[1] Major IT investments require special management attention because of their size or importance to agencies’ missions.

Our QCR, as differentiated from an audit engagement performed in accordance with generally accepted Government auditing standards, was not intended for us to express, and we do not express, an opinion on DOT’s EVM management practices. KPMG is responsible for its independent auditor’s report and the conclusions expressed in that report.
Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.

We appreciate the courtesies and cooperation of DOT and its operating administrations’ representatives during this engagement. If you have any questions concerning this report, please call me at (202) 366-1407, or Nathan Custer, Program Director, at (202) 366-5540.

#

cc: Deputy Secretary
    CIO Council Members
    DOT Audit Liaison, M-1

EXHIBIT A. RECOMMENDATIONS OF KPMG LLP, INDEPENDENT AUDITOR

KPMG LLP made the following recommendations during its review of DOT’s information management practices for EVM. OIG agrees that DOT management should implement the following controls.

DOT Chief Information Officer

   1    Update the DOT EVMIG to establish operational requirements and document a defined or recommended set of documents to be retained in the event of a formal project baseline change.
   2    Update policies and procedures for the validation of contractor cost estimates, and incorporate them into the DOT EVMIG and applicable DOT IBR guidance for Contracting Officers.
   3    Develop policies and procedures for the retention of COTR and Procurement documented conclusions on the validity of provided contractor cost estimates.
   4    Develop procedures to standardize program and project EVM data for all OAs.
   5    Provide a platform or mechanism for ensuring appropriate personnel managing programs that require EVM reporting must obtain OCIO and/or Office of the Senior Procurement Executive (OSPE) sponsored training prior to awarding contract.
   6    Work with appropriate DOT personnel to ensure training qualifications are maintained in a designated repository.

FAA Chief Information Officer

   7    Further develop the FAA EVMS Training Module to promote consistency of reporting and awareness of EVMS requirements, specifically program and contractor IBR requirements.
   8    Require that the program teams attend corresponding trainings and EVM Focal Point staff will be responsible for the development and implementation of training.
   9    Develop a method for holding the program manager responsible for ensuring the timely execution of the IBR.
  10    Retain evidence of requests for IBR deferrals past the required 180 day threshold. Require this evidence to be presented during the IBR Status Reports conducted with JRC.
  11    Develop policies and procedures documenting time requirements for certification of Contractor EVMS, as well as follow-up requirements to occur in the event contractor EVMS is unable to achieve certification.
  12    Certify the Crown EVMS for NEXCOM.
  13    Perform analysis of investments under development and associated contractor EVMS to identify non-certified systems currently being used to report EVM data and perform analysis to determine impact of utilization of non-certified EVMS.
  14    Incorporate the timely and consistent tracking of EVMS certification into year-end performance metrics for EVM Focal Point staff.

Attachment
See the next page for the Independent Auditor’s Report.

Department of Transportation
Earned Value Management and Security Cost Reporting Performance Audit

Prepared for: DOT Office of Inspector General
June 30, 2014

KPMG LLP
1676 International Drive, Suite 1200
McLean, VA 22102

Department of the Transportation
Earned Value Management and Security Cost Reporting Performance Audit

Table of Contents

EVM and Security Cost Reporting Performance Audit Report
I. BACKGROUND
II. OBJECTIVE, SCOPE, AND METHODOLOGY
III. RESULTS
IV. FINDINGS AND RECOMMENDATIONS
   1. Insufficient program baseline change requirements across the DOT.
   2. Standards for contractor cost validation not identified across the DOT.
   3. Inconsistent EVM data tracking and reporting methods across the DOT.
   4. No formalized EVMS training program established across the DOT.
   5. Inconsistent Integrated Baseline Review (IBR) performance and tracking at Federal Aviation Administration (FAA).
   6. Insufficient contractor EVMS certification and surveillance at FAA
V. MANAGEMENT RESPONSE TO THE REPORT

Appendices
APPENDIX I – STATUS OF PRIOR-YEAR FINDINGS
APPENDIX II – GLOSSARY OF TERMS

KPMG LLP
1676 International Drive
McLean, VA 22102

Mr. Louis C. King
Assistant Inspector General For Financial and Information Technology Audits
1200 New Jersey Avenue, SE
Washington, DC 20590

Re: The Department of the Transportation Earned Value Management and Security Cost Reporting 2014 Performance Audit

Dear Mr. King:

KPMG LLP (KPMG) was contracted by the Department of Transportation (DOT) Office of Inspector General (OIG) to conduct a performance audit of the Department’s adoption and use of Earned Value Management Systems (EVMS) across the Departmental Operating Administrations (OAs), and specifically for certain major Information Technology (IT) investments. This report presents the results of our work conducted to address the performance audit objectives relative to the DOT. Our work was performed during the period of November 4, 2013 through March 10, 2014, and our results are as of March 10, 2014.

We conducted this performance audit in accordance with generally accepted government auditing standards (GAGAS).
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and recommendations based on our audit objectives.

Our audit objectives were to review the DOT EVMS organizational capability to assess how mature DOT is in implementing EVMS and how mature the department is in EVMS as it relates to the guidelines referenced in legislation, policy and standards pertaining to EVM. We assessed the Department’s: (1) implementation of earned value management (EVM) policies, procedures and practices for its IT investments; and (2) use of EVM data to plan, monitor, and report the status of its IT investments and related security spending.

The DOT has established an EVMS policy that contains pre-established dollar thresholds and guidance for IT investment owners to consider when implementing EVMS. In addition, various OAs have improved their use of EVMS by establishing supporting materials, such as IT project management and EVMS implementation guidance, providing EVMS training and conducting EVMS lessons learned discussions. While these items help provide a foundation of EVMS guidance for OAs to follow and investments to use, there are opportunities for improvement to further implement and use EVMS to help manage major IT investments (MITI).

Overall, based on the interviews conducted, documents inspected, and test procedures performed within the audit program guide, we determined that the DOT has inconsistently applied controls across the ten (10) OAs and six (6) MITIs. As a result, the EVMS-related processes used to collect and report EVMS data cannot be relied on to properly reflect project performance in Exhibit 300 submissions. In addition, we found that project management practices related to EVMS are not consistently applied across the OAs and MITIs. Finally, the security cost estimates that are derived for Exhibit 300 submissions cannot be fully supported. Timely implementation of the recommendations is needed to fulfill departmental requirements and achieve maturity in managing IT investments.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

The detailed objectives of this performance audit are enumerated within Section II of the report. We have identified six (6) Findings, which are enumerated within Section IV.

    1. Insufficient program baseline change requirements across the DOT.
    2. Standards for contractor cost validation were not identified across the DOT.
    3. Inconsistent EVM data tracking and reporting methods across the DOT.
    4. No formalized EVMS training program established across the DOT.
    5. Inconsistent Integrated Baseline Review (IBR) performance and tracking at Federal Aviation Administration (FAA).
    6. Insufficient contractor EVMS certification and surveillance at FAA.

We currently report, for the DOT’s consideration, fourteen (14) recommendations from this performance audit.

This performance audit did not constitute an audit of financial statements in accordance with Government Auditing Standards. KPMG was not engaged to, and did not render an opinion on the DOT’s internal controls over financial reporting or over financial management systems (for purposes of Office of Management and Budget Circular Number A-127, Financial Management Systems, July 23, 1993, as revised).
KPMG cautions that projecting the results of our evaluation to future periods is subject to the risks that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.

Appendix I, Status of Prior-Year Findings, summarizes the DOT’s progress in addressing prior-year recommendations from the OIG report QC-2009-048 dated April 24, 2009, Quality Control Review of the Department’s Implementation of Earned Value Management and Security Cost Reporting. Appendix II contains a glossary of terms used in this report.

Sincerely,

Department of the Transportation - EVM and Security Cost Reporting Performance Audit -2014

I. BACKGROUND

The Department of Transportation (DOT) mission is to serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets our vital national interests and enhances the quality of life of the American people, today and into the future.[1] According to the FY13 spending IT dashboard, DOT invested approximately $3.1 billion in information technology (IT) [2]. In order to derive the intended benefits of the programs and projects within the IT portfolio, project planning and execution processes should be in place to control the establishment of baseline performance measures and manage deviations from expected performance plans. Earned Value Management (EVM) data is a critical component of the control phase of the IT capital planning process, because it provides investment managers with the cost, schedule, and performance data necessary to help ensure that DOT investments are delivered on time and perform within budget and scope.
The addition of the variance and trend analysis aspect of EVM permits an evaluation that monitors deviation from the baseline plan, which may indicate potential threats or opportunities. Proper application of EVM also increases the level of confidence of management that the investment is being managed in accordance with sound project management practices.

The Office of the Secretary of Transportation (OST) is responsible for establishing the requisite policies and procedures to govern the DOT OAs within the department for managing investments within the IT portfolio, including policies and procedures related to IT capital planning and investment control (CPIC), enterprise architecture (EA), program management, and project management. Policies and procedures should reflect Office of Management and Budget (OMB) guidance, including provisions for using EVM and estimating IT security costs for investments. In addition, the Operating Administrations (OAs) within DOT are responsible for implementing the policies and procedures promulgated by OST in a manner consistent with underlying EVM and IT security cost reporting objectives.

The following criteria are a listing of the key legislation, policies, and standards pertaining to Earned Value Management System (EVMS) and IT investment and project management:

Legislation
   • Government Performance and Results Act of 1993 – mandates the use of performance metrics.
   • Federal Acquisition Streamlining Act of 1994 – requires agency heads to achieve, on average, 90% of the cost and schedule goals established for major and non-major acquisition programs of the agency without reducing the performance or capabilities of the items being acquired.
   • Clinger Cohen Act of 1996 – requires establishment of the processes for executive agencies to analyze, track, and evaluate the risks and results of major
     investments in IT and requires reporting on the net program performance benefits achieved by agencies.

Policies
   • OMB Circular Number (No.) A-11 (Part 7, Planning, Budgeting, Acquisition and Management of Capital Assets) – outlines a systematic process for program management, which includes integration of program scope, schedule, and cost objective; requires use of earned value techniques for performance measurement during execution of the program; specifically identifies American National Standards Institute (ANSI)/Electronic Industries Alliance (EIA) Standard 748.
   • OMB Memorandum M-04-24, “Expanding Electronic Government (E-Gov) President’s Management Agenda (PMA) Scorecard Cost, Schedule and Performance Standards for Success” – provides additional information on the PMA Expanded Electronic Government initiative and the standard for success concerning cost, schedule and performance goals.
   • OMB Memorandum M-05-23, “Improving Information Technology (IT) Project Planning and Execution” – provides guidance to assist agencies in monitoring and improving project planning and execution and fully implementing EVMS for major IT projects.

[1] http://www.dot.gov/mission/about-us
[2] https://myit-2014.itdashboard.gov/portfolios

Standards
   • ANSI/EIA Standard 748, Earned Value Management System (EVMS) – industry process for use of EVMS including integration of program scope, schedule and cost objectives,
     establishment of a baseline plan for accomplishment of program objectives, and use of earned value techniques for performance measurement during the execution of a program.
   • National Defense Industrial Association (NDIA) Program Management Systems Committee Intent Guide for Earned Value Management Systems – provides additional insight into the EVMS guidelines included in Section 2 of the ANSI/EIA Standard 748-A Standard for EVMS.

II. OBJECTIVE, SCOPE, AND METHODOLOGY

KPMG LLP (KPMG) was contracted by the DOT OIG to conduct a performance audit of the Department’s adoption and use of EVMS across the departmental OAs, and specifically for certain major IT investments (MITIs) [3].

Objectives

We were tasked with reviewing the DOT EVMS organizational capability to assess how mature DOT is in implementing EVMS and how mature the department is in EVMS as it relates to the guidelines referenced in legislation, policy and standards pertaining to EVM.

We assisted the DOT OIG in evaluating the maturity of EVM policies, practices, and data for the period between November 4, 2013 through March 10, 2014 to evaluate the Department’s: (1) implementation of EVM policies, procedures and practices for its IT investments; and (2) use of EVM data to plan, monitor, and report the status of its IT investments and related security spending.

In addition, we were tasked with reviewing the DOT implementation and execution of three recommendations made in the OIG report QC-2009-048, Quality Control Review of the Department’s Implementation of Earned Value Management and Security Cost Reporting. The recommendations were:

      1. Establish a target date to complete and distribute the DOT EVM implementation guidance to OAs. This guidance should document processes and practices consistent with guidelines published by OMB.
      2. Require OAs to review all MITIs in the development phase for compliance with key OMB requirements for EVM implementation and report results to the Office of the Chief Information Officer (OCIO). Ensure that OAs establish a target date for correcting deficiencies found.
      3. Establish security cost estimation standards consistent with the National Institute of Standards and Technology (NIST), require OAs to follow the standards, and verify compliance with the standards by performing a sample review of OA security cost estimate submissions.

[3] A “major” IT investment refers to an IT Investment requiring an OMB Exhibit 300 Business Case.

Scope

The performance audit procedures were limited to evaluating the implementation of EVM and security cost estimating and reporting practices over ten (10) OAs and six (6) MITIs [4], which have been summarized in Tables 1 and 2 below:

Table 1: Scope of EVM and Security Cost Reporting Analysis by OA

OA Selected                                                     EVM (Y/N)   Security Cost Reporting (Y/N)
Federal Aviation Administration (FAA)                           Y           Y
Federal Transit Administration (FTA)                            Y           Y
National Highway Traffic Safety Administration (NHTSA)          Y           Y
Pipeline and Hazardous Materials Safety Administration (PHMSA)  Y           Y
Research and Innovative Technology Administration (RITA)        Y           Y
Office of the Secretary of Transportation (OST)                 Y           Y
Federal Highway Administration (FHWA)                           Y           Y
Federal Motor Carrier Safety Administration (FMCSA)             Y           Y
Federal Railroad Administration (FRA)                           Y           Y
Maritime Administration (MARAD)                                 Y           Y
Surface Transportation Board (STB)                              N[5]        N[5]
Saint Lawrence Seaway Development Corporation (SLSDC)           N[5]        N[5]

Table 2: Scope of EVM and Security Cost Reporting Analysis for MITIs

MITI Selected                                                                EVM (Y/N)   Security Cost Reporting (Y/N)
FAA: Next Generation Air/Ground Communications (NEXCOM) Segment 1a           Y           Y
FAA: Automatic Dependent Surveillance-Broadcast (ADS-B)                      Y           Y
FAA: Regulation and Certification Infrastructure for System Safety (RCISS)   Y           Y
FTA: National Transit Database (NTD)                                         Y           Y
NHTSA: Crash Data Acquisition Network (CDAN)                                 Y           Y
OST: DOT Consolidated Operating Environment (COE)                            Y           Y

[5] In the FY 2009 DOT EVMS performance audit it was determined the OA did not have any MITIs nor had they implemented any EVMS over their IT portfolio. At the time, the OIG had determined to exclude these OAs from the scope of this performance audit. In Fiscal Year (FY) 2013, it was reconfirmed that the OA still did not have any MITIs and was not required to implement an EVMS over their IT portfolio.

We designed the procedures to gain an understanding of how each OA and in-scope IT investment has instituted practices related to EVM and security cost reporting, divided into the following sections:

       • EVM Governance: Includes the policies and supporting guidance (i.e., project and program management) available to implement and use EVM.
       • EVM Tools & Technology: Includes the EVM tools and related technologies used for IT projects (i.e., EVM-related tools, EVM engines, cost accounting tools, scheduling and resource management tools and technology integration).
       • EVM Implementation & Performance: Includes EVM supporting standards and practices (e.g., work breakdown structure and use, contract and scope management, resource planning and management, and EVM analysis techniques), EVMS certification, EVMS surveillance, EVM training, and EVM lessons learned.
       • Security Cost Governance: Includes the policies and procedures in place for security cost analysis and estimation.
       • Security Cost Estimating, Analysis and Reporting: Includes the practices used in analyzing, estimating, and reporting security costs.

We did not validate the security costs from the OMB Federal IT Dashboard [6] provided by DOT.

KPMG conducted fieldwork during the period of November 04, 2013 – March 10, 2014 at the DOT Headquarters and FAA offices. Documented work and conclusions are based on information as of March 10, 2014.

Methodology

KPMG performed this performance audit in accordance with the Government Auditing Standards issued by the Government Accountability Office (GAO).
In particular, we designed our procedures to conform to a performance audit defined by the Government Auditing Standards. The engagement was performed in three phases: (1) Planning, (2) Testing and Interviews, and (3) Report Writing.

Planning – The planning phase was designed to help ensure that team members developed a collective understanding of the EVM and security cost reporting practices in place for the ten (10) OAs and the six (6) MITIs. We provided separate questionnaires to each OA and to each investment program team.

Questionnaires and provided-by-client (PBC) lists were provided to OA and MITI Program Management during this phase of the engagement. Questionnaires and PBC lists were designed to provide a foundational understanding with which to conduct interviews, for identifying additional documentation requests, and identifying areas where additional focus was required in our testing.

Testing and Interviews – During the testing and interviewing phase, we conducted interviews with program managers and senior management responsible for EVM, collected and inspected PBC artifacts, participated in process walk-throughs and interviews with program staff, and performed test procedures. Test procedures included pulling cost data from the OMB Federal IT Dashboard for the OAs. Testing procedures were conducted primarily at DOT headquarters and FAA facilities in Washington, D.C. Testing procedures over the EVM and security cost reporting practices were based on the Federal legislation, policies, and industry standards.

KPMG’s testing procedures required us to select a sample of items from a population for testing. To do so, we employed a risk-based approach to determine a subset of DOT information systems for the EVMS Performance Audit.
The universe for this subset only included major systems that are operational. Accordingly, our recommendations are applicable to the sample we tested and were not extrapolated to the population (i.e., all OAs and all MITIs).

[6] http://www.itdashboard.gov

Report Writing – The report writing phase entailed writing a draft report, conducting an exit conference, providing a formal draft report to OIG for review, and preparing and issuing the final report including management’s response to the report.

III. RESULTS

Feedback is critical to the success of any project. Timely and targeted feedback can enable project managers to identify problems early and make adjustments that can keep a project on time and on budget. In addition, early identification of cost and schedule variance information is needed by agency executives to monitor and control risks within its investment portfolio. EVM is an effective performance measurement and feedback tool for managing projects. EVM provides organizations with the methodology needed to integrate the management of project scope, schedule, and cost.
Cost data on
security spending is necessary to help ensure that federal IT investments have adequately identified and
budgeted for security.

In the following section of the report, we provide the results of our interviews and testing across the
following areas pertaining to EVM to meet the performance audit objectives stated above in Section II:

    • EVM Governance
    • EVM Tools & Technology
    • EVM Implementation & Performance
    • Security Cost Governance
    • Security Cost Estimating, Analysis and Reporting

EVM Governance

EVM governance consists of the policies, procedures and practices in place to establish requirements for
EVM implementation and performance management within project and program management practices.
The OST is responsible for providing this guidance to the OAs, with the exception of the FAA, which
utilizes its own acquisition system known as the Acquisition Management System (AMS). The AMS
establishes the FAA’s acquisition policy and contains FAA-specific EVM guidance. The FAA AMS is
discussed in further detail below.

OST EVM Policy
The DOT EVM Policy was initially made effective on January 14, 2008. DOT has since provided updated
guidance for application across OAs pertaining to the implementation and execution of EVM. DOT EVM
Order 1351.22.1 and the DOT Earned Value Management Implementation Guide (EVMIG) were
developed with the objective of providing guidance to DOT OAs for all projects that require EVM
implementation. The DOT EVM Order 1351.22.1 was signed into effect on July 15, 2010 and establishes
the EVM policy within the DOT. The policy applies to all DOT IT Investments that are required to
complete an OMB Circular No. A-11, Exhibit 300 business case.

The DOT EVMIG was first issued in draft form on April 9, 2007.
The DOT EVMIG has incorporated
seven (7) policy revisions and was last updated on September 29, 2010. The DOT EVMIG is designed to
facilitate uniform and consistent EVM implementation practices for all relevant DOT IT investments.
Specifically, the guide details the DOT requirements for compliance with the 32 ANSI/EIA Standard 748
guidelines, as well as the investment EVM tier thresholds for EVM reporting.

The degree to which EVM is applied to MITIs varies depending on the size and complexity of the IT
investment. The DOT EVMIG identifies three (3) tiers of EVM rigor to be applied to IT investments.
Additional guidance over consolidated investments is provided within the DOT EVMIG. EVM tiers and
consolidated investment guidance are depicted in Table 3 below:

                   Table 3: DOT EVM Tier Thresholds and Requirements

Investment    Total Contract Development,    Description
EVM Tier      Modernization, and
              Enhancement (DME 7) Value

Tier I        ≥ $20 M                        IT investments with total DME costs equal to or greater
                                             than $20 million (then-year dollars) must implement an
                                             EVMS that fully complies with all ANSI/EIA Standard 748
                                             Guidelines.

Tier II 8     ≥ $10 M                        IT investments with total DME life-cycle acquisition
              < $20 M                        costs equal to or greater than $10 million but less than
                                             $20 million (then-year dollars) must implement, at a
                                             minimum, an EVMS that complies with a subset of ANSI/EIA
                                             Standard 748 Guidelines as detailed in the DOT EVMIG.

Tier III 8    < $10 M                        IT investments with total DME life-cycle acquisition
                                             costs less than $10 million (then-year dollars) are not
                                             required to implement an EVMS. This does not exclude
                                             investments in this tier from performing prudent program
                                             management practices.

Consolidated investments, or a collection of separate projects that pool resources and capabilities together
to facilitate the effective management of all the work necessary to meet strategic objectives, are to apply
the Tier I, II, or III EVM requirements to each subordinate investment, and not at the consolidated
investment level.

Additional DOT Policy Requirements to be applied to Tier I and Tier II investments include:
   • EVM requirements at the investment level shall also be required for all contractor and
       government entities accomplishing the work.
   • An investment Integrated Baseline Review (IBR) 9 shall be conducted within 180 days after the
       Performance Measurement Baseline (PMB) has been established and contract(s) awarded. An
       IBR shall also be conducted when the investment has been rebaselined.
   • IT investment EVM data shall be submitted on a monthly basis using the DOT Capital Planning
       Tool, or any other agreed upon method with the Associate Chief Information Officer (ACIO) for
       IT policy oversight.
       The investment level EVM data shall be derived from the project level EVM
       data to ensure data consistency and generate an audit trail for how investment level EVM data
       was derived.
   • A DOT EVM training program shall be established to identify available EVM courses and
       provide each target audience, including executive-level audiences, with a set of required,
       suggested, and optional EVM course offerings. OAs may include complementary EVM training
       under DOT EVM training guidelines to address unique OA requirements or issues.
   • The Investment Review Board (IRB) for each OA is responsible for reviewing and providing
       recommendations regarding baseline changes and submitting them to the ACIO IT Policy Oversight
       Office for review and approval by the DOT IRB Executive Committee Staff, prior to final
       approval by OMB.
   • Investments are required to complete and maintain a comprehensive work breakdown structure
       (WBS) 10. Additionally, they are required to utilize the DOT’s standard WBS as the organizational
       foundation for their overall scope.
   • Investments must incorporate work scope and other authorized changes into their PMB 11 in a
       documented and timely manner.
   • Investments must develop a master schedule, including work tasks and decision points. Activities
       must have clearly defined start and completion criteria and dependencies between activities must
       be indicated in an appropriate level of detail. Critical path must be determined. Schedule must
       then be integrated with WBS (and organizational breakdown structure (OBS) for Tier I
       investments) to properly track and assess work progress and performance.

7 EVM is applied to any budgeted work for DME activities. These activities include all acquisitions necessary to either complete
a new investment or update an existing one. As an investment’s scope and cost increase, a greater level of EVM rigor is
necessary to effectively manage the investment. The DOT-wide EVM requirement thresholds are based on the total life-cycle
DME costs of the investments within the agency’s portfolio. Source: DOT EVMIG dated September 29, 2010.
8 Tier III threshold was increased to $10 M on April 27, 2009. Previously the Tier III threshold was $3 M.
9 The IBR is a critical, comprehensive evaluation of the PMB addressing the identification of inherent risk and baseline realism.
It is a joint assessment by the government and contractors that must be performed before any development work has commenced,
additional work scope added, or a shift in the content or phasing of the PMB. Source: DOT EVMIG dated September 29, 2010.

The requirements above were utilized throughout the Testing and Interview Phase to provide a basis for
the evaluation of OA and Investment EVM compliance.

While DOT policy contains the requirements stated above, OST Management has neither developed nor
promulgated guidance pertaining to the application and management of EVM across OAs and MITIs.
Specifically, we noted the following:
   • DOT EVM guidance lacks sufficient program baseline change requirements. Specifically, no
        formal rebaselining documentation retention requirements have been documented within the DOT
        EVM guidance for use across DOT OAs.
   • Formalized standards or recommended guidance for validating contractor cost estimates are not
        documented within the DOT EVMIG or consistently applied across OAs.
   • DOT has not implemented a consistent enterprise approach to managing and applying EVM data
        across OAs or investments. Specifically, tools and technology utilized to document, track,
        evaluate, and report EVM data are not standardized across DOT OAs.
   • There is no formalized DOT training program pertaining to EVMS. The OST has not provided
        standardized EVMS training for utilization within DOT OAs.

We have included these weaknesses in the Findings and Recommendations section of this report.

Since the OIG report QC-2009-048 dated April 24, 2009, Quality Control Review of the Department’s
Implementation of Earned Value Management and Security Cost Reporting, DOT EVM Policies and
Procedures have continued to be developed within the department and across OAs. The alteration of EVM
Reporting Tiers (see Table 4) has impacted the degree to which EVM data is being reported.
The EVM
Tier II threshold was raised in an effort to align DOT EVM standards with those of the FAA, which
operates an independent EVM policy as documented below. As a result, a greater number of investments
now fall within the Tier III threshold, which does not require the utilization of EVM in projects.

10 The WBS is a tool for defining the hierarchical breakdown of work necessary to meet an investment’s objectives. It is
developed by first identifying the high level “buckets” of work in the investment. These major components are broken down into
smaller ones until they represent distinguishable products or deliverables. Source: DOT EVMIG dated September 29, 2010.
11 The time-phased budget plan against which investment performance is measured. Source: DOT EVMIG dated September 29,
2010.

FAA EVM Policy
The FAA has its own EVMS policy and implementation guidance documented in the AMS. Key
requirements of this policy are documented below:

       •    DME programs must use an EVM system based on the guidelines in ANSI/EIA Standard 748 for
            the total program effort, including both government and contractor work, according to the
            following table. Program EVM must be consistent with the acquisition strategy in the
            implementation strategy and planning document, Section 3.2, Program Control. Major investment
            programs are those required by the OMB to submit an OMB Exhibit 300.
            The Joint Resources
            Council or appropriate investment decision authority (IDA) designates non-major programs
            required to have an EVMS.

                        Table 4: Program EVMS Requirements

       EVMS Requirements             Program Type    Program Type    Program Type
                                     Major           Non-Major       Other
       Exhibit 300                   R               T               O
       Integrated Master Schedule    R               T               O
       Integrated Baseline Review    R               T               O
       EVM Standard Compliance       R               R               O
       EVM System Certification      R               O               O

       R = Required by approving authority
       T = Tailored: requirement may be tailored by program
       O = Optional

       •    Contractor EVM implementation must be consistent with the strategy in the implementation
            strategy and planning document, Section 2.8, Contract Management. All capital investment
            programs must use the following table to determine the application of EVM to the development,
            modernization, and enhancement work assigned to contractors. The requirements apply to all
            contract types. On an exception basis, low-risk contractor efforts, i.e., firm fixed-price production,
            may implement EVM within an FAA program office at the program level.
            Contractor EVM
            implementation must be based on an assessment of the cost, schedule, and technical performance
            risk of each contract.

                        Table 5: FAA Contract EVMS Requirements

       EVMS Requirements             Total Contract Value ($M)    Total Contract Value ($M)
                                     > $10 M                      < $10 M
       Exhibit 300                   R                            O
       Integrated Master Schedule    R                            O
       Integrated Baseline Review    R                            O
       EVM Standard Compliance       R                            O
       EVM System Certification      R                            O

       R = Required by approving authority
       O = Optional 12

12 Source: FAA AMS, Sections 4.16.1 – 4.16.2

The FAA issued the FAA EVM Guide policy document in March 2012, which provides specific
implementation guidance to program managers and contracting officers. The FAA EVM Guide provides
FAA program managers, contracting officers, executives, executive committees, and review boards with a
further understanding of the application of EVM concepts in support of program management practices.
FAA programs apply EVM methodologies to the total program effort, including both government and
contractor work, to manage complex, high-risk, high-cost, or high-visibility efforts.
This application of
EVM to performing organizations is highlighted below:

                        Table 6: EVMS methodologies for organizations

     Performing        EVMS Consideration
     Organization

     Government        Government organizations and personnel (Full-Time Equivalents (FTEs)), while
     Organizations     commonly used to perform program management and oversight, may also perform
                       engineering, testing, deployment, and logistics support functions. All work and
                       program activities performed by government personnel are assigned using the
                       program baseline WBS and are managed using EVM. FAA programs required to
                       use EVM must include resources for all government DME effort included in the
                       IDA-approved program baseline.

     Major             Major contractors commonly are employed in the areas of design, engineering,
     Contractors       development, deployment, and support functions. All work and program activities
                       performed by major contractors are assigned using the program baseline WBS and
                       are managed using EVM. FAA programs required to use EVM must include
                       resources for all major contractor effort included in the IDA approved program
                       baseline. Implementation of EVM on major contractor effort must be consistent
                       with AMS EVM policy, paragraph 4.16.2 Contract Requirements.

     Support           Support contractors commonly perform support roles in one or more areas of
     Contractors       program management, engineering, configuration management, test, and logistics.
                       All work and program activities performed by support contractors are assigned
                       using the program baseline WBS and are managed using EVM. FAA programs
                       required to use EVM must include resources for all support contractor effort
                       included in the -approved program baseline. Implementation of EVM on support
                       contractor effort must be consistent with AMS EVM policy, paragraph 4.16.2
                       Contract Requirements.

The FAA EVM Guide identifies additional requirements for projects requiring the use of EVM, including
the use of a standard lifecycle WBS, baseline management and variance monitoring activities, and EVMS
certification and surveillance practices.

The FAA also has provided guidance 13 on program management practices such as:
   • Contractor Management
   • Measurement & Analysis
   • Program Management
   • Quality Assurance
   • Requirements Management
   • Risk Management
   • Verification and Validation

13 http://www.fast.faa.gov

EVM Tools and Technology

EVM tools are utilized to create and manage the cost and schedule of projects, including those for
developing WBS elements, tracking the completion of project activities,
and performing EVM-related
calculations (e.g., cost variance (CV), cost performance index (CPI), schedule variance (SV), schedule
performance index (SPI)).

Currently, there are no prescribed or standard tools selected by OST for managing projects, performing
project level EVM calculations or reporting EVM data. However, data types are standardized. For
example, although the use of Microsoft (MS) Project is not mandatory, the departmental requirements to
record project management data establish it as a commonly used tool for WBS maintenance and project
schedule management. The Oracle Primavera Portfolio Management (OPPM) tool, managed by FAA, is
utilized across OAs for reporting EVM and Investment data. The OPPM tool produces Exhibit 300
reports (when required) and IT Dashboard postings.

We noted that reporting tools vary from project to project within an OA. Similarly, they vary from OA to
OA. These tool types include:
   • EVM Calculation and Reporting (Program / Project Level)
   • EVM Calculations (Investment Portfolio Level)
   • Schedule/WBS Management
   • Cost Accounting

A summary of the various tools observed for the management of EVM data is documented below:

                               Table 7: EVM Tools and Technology

 OA       EVM Calculations       EVM Calculations    Schedules / WBS              Cost Accounting
          (Program / Project     (Portfolio Data)
          Data)
 FAA      Deltek Cobra           OPPM                MS Project                   DELPHI
          EVMS for Project
 FTA      MS Excel               OPPM                MS Project                   DELPHI
 NHTSA    Ecosys                 OPPM                Management Activity          DELPHI
                                                     Planning System (MAPS)       Microsoft Project Server
 PHMSA    MS Excel               OPPM                MS Project                   DELPHI
 RITA     MS Excel               OPPM                MS Project                   DELPHI
 OST      MS Excel               OPPM                MS Project                   DELPHI
 FHWA     MS Excel               OPPM                MS Project                   DELPHI
 FMCSA    MS Excel               OPPM                MS Project                   DELPHI
 FRA      MS Sharepoint          OPPM                MS Sharepoint                DELPHI
                                                                                  MS Sharepoint
 MARAD    MS Excel               OPPM                MS Project                   DELPHI
                                                     OPPM

EVM Implementation and Performance

KPMG noted that of the ten (10) OAs and six (6) MITIs selected, only OST, FAA and FAA MITIs
(ADS-B and NEXCOM) were required per DOT/FAA and ANSI/EIA Standard 748 Guidance to report
full EVM data. The tables below provide a summary of the OAs and MITIs selected, and the applicability
of EVM reporting requirements.
The security cost data in Tables 8 and 9 for the MITIs was provided by
DOT and we did not validate the accuracy of the data reported to OMB.

                           Table 8: OA EVM Application and Applicability

OA          Number of    EVM         Additional Information
            MITIs        Required

FAA         33           Yes         33 Investments require an Exhibit 300 Business Case. EVM is required
                                     for multiple FAA MITIs. Two of three investments selected for testing
                                     meet the $10 million Development, Modernization, and Enhancement
                                     (DME) cost threshold for EVM reporting.
FTA         1            No          National Transit Database (NTD) Modernization Project is the FTA’s
                                     only MITI. With a total DME cost of less than $4 Million, it is a
                                     Tier III investment as defined in DOT Order 1351.22.1 (less than
                                     $10 million). As such, it is not subject to formal EVM requirements.
                                     EVM has been voluntarily applied at the investment level.
NHTSA       1            No          Although an Exhibit 300 business case is required for 1 investment,
                                     the investment’s DME costs do not exceed the $10 million threshold
                                     for EVM reporting.
PHMSA 14    1            No          No investments require an Exhibit 300 business case & no investments
                                     w/ DME costs > $10 M.
RITA 15     1            No          No investments require an Exhibit 300 business case and no
                                     investments w/ DME costs > $10 M.
OST         4            Yes         Two (2) investments within OST have DME costs exceeding the
                                     $20 million threshold for EVM reporting. One of the investments
                                     selected for testing is a consolidated investment and subordinate
                                     investments do not exceed the $10 million threshold for EVM
                                     reporting. The other investment that was not selected is Tier I
                                     investment.
FHWA        0            No          No investments w/ DME costs > $10 M.
FMCSA       3            No          Although an Exhibit 300 business case is required for 3 investments,
                                     the investments’ DME costs do not exceed the $10 million threshold
                                     for EVM reporting.
FRA         0            No          No investments w/ DME costs > $10 M.
MARAD       0            No          No investments w/ DME costs > $10 M.

14 The PHMSA major investment National Pipeline Information Exchange (NPIX) is shown as requiring an Exhibit 300 on the IT
Dashboard. However, we determined that the investment was not funded during the year, and has been delayed until 2015. As a
result, the investment does not require an Exhibit 300 or monthly IT Dashboard update.
15 The RITA major investment Aviation Information System (AIS) is shown as requiring an Exhibit 300 on the IT Dashboard.
However, we determined that the investment was downgraded to a non-major investment, and thus does not require an Exhibit
300 or monthly IT Dashboard update.

                          Table 9: MITI EVM Application and Applicability

MITI Selected    Associated    ANSI/EIA             EVM         Additional Information
                 OA            Standard 748 Tier    Required

NEXCOM           FAA           Tier I               Yes         DME Costs for FY 2013 > 10M.
Segment 1a
ADS-B            FAA           Tier I               Yes         DME Costs for FY 2013 > 10M.
RCISS            FAA           Tier III             No          EVM applied to individual investments. RCISS
                               (Consolidated)                   consists of multiple projects within the single
                                                                investment. For each project, DME Costs < 10M.
NTD              FTA           Tier III             No          DME Costs for FY 2013 < 10M.
CDAN             NHTSA         Tier III             No          DME Costs for FY 2013 < 10M.
DOT COE          OST           Tier I               No          DOT COE is a collection of individual projects,
                               (Consolidated)                   none of which exceed $10 million in DME costs.

We evaluated the EVMS implementation and performance management practices across OAs based on
the EVM requirement status identified above.
This includes the evaluation of the following attributes:
    • Whether federal employee and contractor cost resources are assigned to project work elements
    • Whether standard EVMS requirements in contracts are used for major investments
    • Whether EVMS system certification is or has been performed for major investments
    • Whether EVMS system surveillance is used for contractors managing EVMS for major
      investments
    • Whether a standard WBS is used for major investments
    • Whether EVMS training has been provided for those using EVMS
    • The frequency with which EVMS is analyzed (at a minimum monthly, in accordance with OST/FAA
      requirements)
    • Whether the Performance Reference Model (PRM) is used to monitor major investment
      performance
    • Whether EVMS lessons learned are being used to evaluate the use of EVMS

As noted above, these EVM implementation and performance practices are either required by OMB
policy or DOT policy, or are related to industry-based practices. We evaluated these EVM-related attributes
across each OA and IT investment selected.
Table 10 contains a summary of the EVMS implementation
attributes and the results of our analysis:

Table 10: EVMS Implementation & Performance Management for OAs and Investments

OA             EVMS        Standard    EVMS system    EVMS          Standard     EVMS      EVMS       PRM used to  EVMS
(Investments)  calculated  EVMS        certification  contractor    WBS for      training  analysis   monitor      lessons
               based on    contract    (Y/N)          surveillance  major        provided  frequency  majors       learned
               who does    language                   (Y/N)         investments  (Y/N)                performance  performed
               work (Y/N)  for majors                               (Y/N)                             (Y/N)        (Y/N)
                           (Y/N)

EVM REQUIRED
FAA            Y           Y           N¹             N²            Y            Y         Monthly    Y            Y
OST            N³          Y           Y              Y             Y            N⁴        Monthly    Y            Y

EVM NOT REQUIRED
FTA⁶           Y           Y           N              N             N            N         Monthly    Y            Y
NHTSA⁶         N           N           N              N             N            N         N/A        Y            N
PHMSA⁵         N           Y           N              N             N            N         Monthly    Y            N
RITA⁵          N           Y           N              N             N            N         Quarterly  Y            N
FHWA⁶          Y           N           N              N             N            N         Monthly    N            N
FMCSA⁶         N           Y           N              N             Y            Y         Monthly    N            N
FRA⁵           N           Y           N              N             N            N         Monthly    Y            Y
MARAD⁵         Y           Y           N              N             Y            N         N/A        Y            N

Tick Mark Legend:
¹ FAA has not fully enforced EVMS certification over contractor operated EVMS in accordance with FAA policy.
² FAA has not fully implemented EVMS contractor surveillance practices, including the performance of IBRs in accordance with FAA policy.
³ See Section: ‘EVM Governance’ for documentation of findings identified pertaining to EVMS calculations and contractor cost validation
  methods.
⁴ See Section: ‘EVM Governance’ for documentation of findings identified pertaining to EVM training.
⁵ DOT represented that there are no major investments currently reported by the OA.
⁶ The criteria is not required based on investment tier per DOT EVM policy and ANSI/EIA Standard 748 Guidelines.

Although Tier III MITIs and OAs with no major investments are not required to adhere to DOT EVM
requirements, the analysis of EVM performance and implementation was performed over all OAs and
MITIs selected. As a result, findings are identified for only those investments required to adhere to OMB,
DOT, and FAA guidance regarding EVM. The increase in the Tier II threshold contributed to an
increased exclusion of OAs and MITIs requiring the utilization of EVM.

The analysis performed indicates that OAs and investments are inconsistently applying EVMS
implementation and performance practices.

These weaknesses have been included in the Findings and Recommendations section of this report.

Security Cost Governance

OST is responsible for providing policies and procedures over the OAs for estimating, analyzing and
reporting IT security costs.
We noted that OST has developed policies and procedures for estimating,
analyzing, and reporting IT security cost estimates, and has promoted guidance which forms the
foundation for the Department of Transportation Information Systems Security Program.

DOT Information Systems Security Policy
DOT CyberSecurity Policy Order 1351.37 and the Departmental Cybersecurity Compendium
supplemental guidance establish the processes, procedures, and standards of the Department of
Transportation Information Systems Security Program. DOT EVM Order 1351.37, dated June 21, 2011,
provides IT Security process and procedural guidance, and documents pertinent security responsibilities of
administrative personnel within DOT and its OAs (listed as “components” within the document). The
responsibilities include:

    •   On an Information System level, Authorizing Officials (AO) are responsible for ensuring
        vulnerabilities and weaknesses associated with unacceptable risks are listed in the information
        system Plan of Action and Milestones (POA&M), which is updated quarterly. For POA&M items
        that require resources, the AO must specify whether funds will come from a reallocation of base
        resources or a request for new funding. If a request for new funding is deemed necessary, the AO
        must provide the Component Chief Information Officer (CIO) and DOT CIO a brief rationale to
        support the request.
    •   On an Information System level, System Owners (SO) are responsible for:
            - Categorizing the criticality/sensitivity of the information system in accordance with
                Federal Information Processing Standards (FIPS) 199 and ensuring the categorization
                receives the approval of the AO.
            - Implementing a level of security commensurate with the information system impact level.
            - Including security considerations and identifying associated security funding requirements in
                the procurement of information system software, hardware, and support services,
                including information system development, implementation, operation and maintenance,
                disposal activities (i.e., life cycle management), and weakness remediation / mitigation
                associated with unacceptable risks tracked in POA&M.

The Departmental Cybersecurity Compendium, dated June 14, 2011, provides further detail on
Department-wide cybersecurity policies and controls.
Relevant requirements include:

•   DOT Components must (Control SA-2: Allocation of Resources):
          - Include a determination of information security requirements for the information system
             in mission/business process planning.
          - Determine, document, and allocate the resources required to protect the information
             system as part of its capital planning and investment control process.
          - Establish a discrete line item for information security in organizational programming and
             budgeting documentation.
•   DOT Components must (Control PM-3: Information Security Resources):
          - Ensure that all capital planning and investment requests include the resources needed to
             implement the information security program and document all exceptions to this
             requirement.
          - Employ a business case/Exhibit 300/Exhibit 53 to record the resources required.
          - Ensure that information security resources are available for expenditure as planned.

Security Cost Estimating, Analyzing and Reporting

Across OAs, management represented that historical information and a risk-based approach to addressing
security weaknesses were used to estimate security costs. OAs applied different methods for security cost
reporting and for calculating security-related cost inputs. MITIs followed the OAs' methods for estimating
security costs (i.e., NEXCOM, ADS-B, and RCISS follow FAA, NTD follows FTA, and CDAN follows
NHTSA).
These security costs were funded either at the investment level, centrally through the program
office, or as a combination of the two methods.

Table 11 summarizes how management represented that each OA reported its security costs
and demonstrates the inconsistency of security cost reporting across the DOT.

Table 11: Security Cost Estimating and Reporting by OA

OA      Policy for    Security related costs
        developing
        security
        estimates
        (Y/N)

FAA     N             Investments map security spending to the following (13) security
                      elements:
                      • Anti-Virus Software Licensing Costs
                      • Anti-Malware Software Licensing Costs
                      • Intrusion Detection Systems Licensing Costs
                      • Intrusion Prevention Systems Licensing Costs
                      • Web Filtering Software Licensing Costs
                      • Email filtering software
                      • Security Information Management (SIM) / Security Information
                        and Event Management (SIEM) tools
                      • Data Leakage Protection tools
                      • Costs for NIST Special Publication (SP) 800-37 implementation
                      • Costs for annual FISMA testing
                      • Costs for network penetration testing activities
                      • Security awareness training costs
                      • Security training costs for employees with significant security
                        responsibilities

                      Security costs are incorporated into project WBS. Organizational IT
                      Security spending includes governance training and compliance
                      through the Office of Information Systems Security group.

FTA     N             Factors that influence security costs include the Information System
                      Security Manager (ISSM) and his backups, the security contractor
                      who conducts the Security Assessment and Authorization (SA&A),
                      and known costs for specific items such as Personal Identity
                      Verification (PIV) card enabling.

                      On a project basis, contractors who are performing specific security
                      tasks bill to a designated security Contract Line Item Number (CLIN).

NHTSA   N             Systematic and risk based prioritization of information security
                      funding. Security costs for each control include the costs for the FTE
                      allocation, federal oversight and hardware/software/services levels
                      during the investment’s select CPIC phase.

                      When an investment is created, default numbers are entered with
                      iREx. The Project Manager (PM) is responsible for revising and
                      validating the cost data.

PHMSA   Y             PHMSA investment owners work with IT Security Team /
                      Information Systems Security Officer (ISSO) team to ensure security
                      costs are properly funded. This includes Certification and
                      Accreditation (C&A) activities and completing POA&Ms.

                      System owner estimates the POA&M cost in hours. The system
                      owner then works with the IT project manager to determine an overall
                      remediation cost by multiplying the number of hours by the
                      appropriate rate(s). The project owner then supplies the security team
                      with dollar amounts to resolve each POA&M to enter into CSAM.

RITA    N             Security Cost considerations include costs of security assessments,
                      system security plan, vulnerability scanning and remediation,
                      anti-virus and anti-malware products, system-specific security training,
                      and development of the secure baseline configuration of the system.
                      Most security costs are borne at the RITA CIO level and not
                      embedded in the project budgets. Security cost estimation is
                      inconsistently performed at the project level.

OST     N             Security awareness training, privacy training, and Federal Information
                      Security Management Act of 2002 (FISMA) reporting tool use
                      (CSAM). Funds are requested by OST from the OAs for these
                      services.

                      Costs for certification and accreditation, risk assessments, and risk
                      mitigation activities are captured in the budgets of major investments.

FHWA    N             Risk assessments capture current level of risk for the system, provides
                      risk mitigation strategies, and recommended level of effort (FTE
                      hours and cost) to fund the implementation of recommended IT
                      security controls to comply with FISMA (NIST SP 800-53 annual
                      control testing, DR testing, security plan review, etc.). Risk level is
                      calculated based on the determined likelihood and magnitude of
                      impact for each vulnerability. A cost performance rating is
                      determined based on the estimated level of effort.

FMCSA   N             Centrally funded costs – Security awareness training, intrusion
                      detection, incident response, vulnerability management, contingency
                      plan and test, security assessment and authorization and privacy
                      impact assessment.
                      Program costs – security controls and costs to comply with FISMA
                      (NIST SP 800-53 annual control testing, annual disaster recovery
                      (DR) testing, security plan review, etc.).

FRA     N             IT Security teams conduct cost analysis at control level. WBS
                      contains system specific security activities and costing data. IT
                      Security assigns work hours to the activity. Resource sheets assign
                      hourly rates to resources.

MARAD   Y             Monthly vulnerability scanning performed. Risk classification
                      determines funding. Costs are estimated with the Federal Enterprise
                      Architecture Security and Privacy Profile (FEA SPP) Prototype, a
                      tool used to estimate the remediation costs based on the NIST control
                      that is rendered vulnerable by the risk.

We did not validate the security cost estimates, because a standard security cost estimation process does
not exist and has not been developed or promulgated by OST. While a small number of proprietary tools
are used by individual OAs (i.e., NHTSA uses iREx to calculate its security costs), a standard policy or
tool suite has not been implemented across DOT. OST acknowledged this and stated that security cost
estimation procedures are in the process of being finalized, and noted that a March 30, 2014 deadline is in
place to “Develop and/or revise the Department’s EA procedures to address the following: creation of a
standardized methodology that provides reliable estimates of security funding needed for system
investments.” OST Management stated that they anticipate meeting this target delivery date. This finding
was reported within the FY 2013 DOT FISMA Report, Report Number: FI-2014-006, issued November
22, 2013. This will not be issued as part of the FY2014 DOT EVM Performance Audit. Please refer to the
referenced FISMA Report for additional information and current remediation progress.

Because DOT has not provided guidance on estimating IT security costs, the security estimates are being
self-reported by the OAs and do not follow any consistent, predictable methodology on which future
projections can be based.
Finally, the security costs for the common IT services (i.e., DOT COE) do not
follow a consistent methodology that provides a reasonable estimate of future security costs based on the
services rendered as the subordinate investments are migrated to the common operating environment.
Please refer to Appendix I for DOT’s progress in addressing prior-year recommendations from the OIG
report QC-2009-048 dated April 24, 2009, Quality Control Review of the Department’s Implementation of
Earned Value Management and Security Cost Reporting.

IV. FINDINGS AND RECOMMENDATIONS

1. Insufficient program baseline change requirements across the DOT.

   The DOT EVM guide lacks sufficient guidance on rebaselining documentation retention for use across
   DOT OAs. Specifically, a defined documentation set to be retained in the event of a formal project
   baseline change has not been incorporated into Departmental policy.

   OST, which has a responsibility for coordinating and promulgating EVM requirements, has not had
   adequate resources dedicated to creating and promulgating EVM requirements, specifically
   documentation retention requirements pertaining to program rebaselining decisions to be leveraged
   across OAs. Without documented retention requirements or a DOT standard list of documents to be
   retained in the event of a program rebaseline, rebaseline documentation may not be retained or made
   available in the event a review of the rebaseline decision is performed. Rebaseline documentation is
   important to prevent any unauthorized revisions of the PMB.
   Documents retained may also be
   inconsistent among agencies, resulting in inconsistent post-execution reviews of program baseline
   changes.

   We recommend that OCIO update the DOT EVMIG to establish operational requirements and
   document a defined or recommended set of documents to be retained in the event of a formal project
   baseline change.


2. Standards for contractor cost validation not identified across the DOT.

   Formalized standards or recommended guidance for validating contractor cost estimates are not
   documented within the DOT EVMIG.

   OST Management indicated a lack of consistency in the validation process, specifically in regard to
   the coordination between the Contracting Officer’s Technical Representative (COTR) and
   Procurement groups, in efforts to validate the accuracy of contractor cost estimates prior to
   acceptance.

   Contractor cost estimates are required to be independently validated within their respective OAs
   during the IBR process, as the submission of accurate contractor cost data is critical to consistent
   and accurate EVM reporting. However, recommended methodologies are not identified within DOT
   guidance to assist in the consistent analysis of submitted contractor costs.

   OST, which has responsibility for coordinating and promulgating EVM requirements, has not had
   adequate resources dedicated to creating and promulgating EVM requirements, specifically in regard
   to the development and inclusion of contractor cost validation guidance into DOT policy. Without
   formalized standards or recommended guidance for the validation of contractor cost estimates, control
   account estimates may be inconsistently validated across OAs and investments by program
   management.
   Submitted contractor costs are at risk of being accepted without sufficient validation or
   review, thus hindering DOT’s objective of providing timely, valid, and auditable investment cost and
   schedule status information to program managers, senior managers, executive sponsors, and
   stakeholders.

   We recommend that the Office of the Senior Procurement Executive (OSPE) with assistance from the
   OCIO:

       1. Update policies and procedures for the validation of contractor cost estimates, and
          incorporate them into the DOT EVMIG and applicable DOT IBR guidance for Contracting
          Officers.

       2. Develop policies and procedures for the retention of COTR and Procurement documented
          conclusions on the validity of provided contractor cost estimates.


3. Inconsistent EVM data tracking and reporting methods across the DOT.

   While the DOT has implemented an enterprise approach to EVM portfolio data, it has not
   implemented a consistent approach to managing and applying EVM data for programs and projects.
   Specifically, tools and technology utilized to document, track, evaluate, and report program and
   project EVM data are not standardized across DOT OAs.

   OST, which has responsibility for coordinating and promulgating EVM requirements, has not had
   adequate resources dedicated to creating and promulgating EVM requirements, specifically in regard
   to the development of an enterprise approach to EVM for projects. OST noted that due to the varying
   sizes of agencies and the variety of investments therein, the implementation of a required set of tools
   for EVM would require a disproportionately high level of effort and resources.
   Without a
   standardized set of EVM reporting tools, EVMS may be inconsistently implemented and maintained
   across OAs. The utilization of varied tools and technologies across OAs introduces the risk of EVM data
   being reported and secured inconsistently, and hinders DOT’s ability to provide a robust training
   curriculum as tools and reporting methods are not consistent across OAs. DOT may not be
   recognizing the benefits of consistent and reliable information through the leveraging of an enterprise
   approach in regard to the implementation of EVM in projects.

   We recommend that OCIO develop procedures to standardize program and project EVM data for all
   OAs.


4. No formalized EVMS training program established across the DOT.

   There is no formalized DOT training program pertaining to EVMS. The OST has not provided
   standardized EVMS training for utilization within DOT OAs.

   OST, which has responsibility for coordinating and promulgating EVM requirements, has not had
   adequate resources dedicated to creating and promulgating EVM requirements, specifically in regard
   to a dedicated EVMS specific training program to be leveraged across DOT OAs. Without
   documented and formalized EVMS training, EVMS may be inconsistently applied across projects
   requiring its use. EVMS requirements are at risk of being reported improperly or neglected, reducing
   the reliability of reported EVMS data. Key personnel without appropriate training are at risk of
   contributing to delays in the execution of reporting requirements and deliverables as defined by DOT
   and OMB policy.

   We recommend that OCIO:

       1. Provide a platform or mechanisms for ensuring that appropriate personnel managing programs
          that require EVM reporting obtain OCIO and OSPE sponsored training prior to
          awarding contract.

       2. Work with appropriate DOT personnel to ensure training qualifications are maintained in a
          designated repository.


5. Inconsistent Integrated Baseline Review (IBR) performance and tracking at Federal
   Aviation Administration (FAA).

   IBR performance has not been consistently executed by investment program management and EVM
   Focal Point staff in accordance with FAA and DOT policy requirements.

   Two investments selected (NEXCOM Segment 1a and ADS-B) did not sufficiently perform required
   IBR performance and reporting actions, as documented below:

       •   NEXCOM Segment 1a performed a contractor IBR in excess of the maximum time
           requirement of 180 days for IBR performance. Contract award was stated as February 9-10,
           2009, while the contractor IBR was not performed until September 25, 2009.
       •   ADS-B conducted a program level IBR in 2008; however, a formalized IBR report was not
           developed or disseminated to stakeholders following execution. Additionally, ADS-B has not
           performed the required program level IBR associated with the final investment decision (FID)
           made on May 30, 2012, for the ADS-B program segment spanning from FY2014 – FY2020.

   Due to improper IBR execution, the validation and assessment of key project attributes (i.e., planning
   activities, performance measures, contract revisions, significant changes to the PMB, schedule
   feasibility, and essential program elements) has not been performed.
   As a result, FAA and DOT
   Management are unable to validate monthly reported EVM data for accuracy or completeness.

   FAA, which has a responsibility for coordinating and promulgating EVM requirements, has not
   consistently monitored key reporting activities per the AMS policy and ANSI/EIA Standard 748
   guidelines. Specifically, program management has not received adequate training in regard to the
   performance or execution of a contractor IBR. Training was not completed prior to the required
   execution of the IBR, which resulted in delayed IBR performance. Additionally, a mechanism for
   tracking and reporting planned IBRs has only recently been developed for use by the FAA Focal
   Point group. Without completed provisions and monitoring of EVMS standardization and
   implementation, EVMS may be inconsistently applied across projects requiring its use. Without
   proper IBR execution, the validation and assessment of planning activities, identification of useful
   and accurate performance measures, contract revisions, significant changes to the PMB, schedule
   feasibility, and essential program elements are not appropriately performed. EVMS requirements are
   at risk of being reported improperly or neglected, reducing the reliability of reported EVMS data.
   Projects are at risk of being funded while exhibiting significant program deficiencies.

   We recommend that FAA Management:

       1. Further develop the FAA EVMS Training Module to promote consistency of reporting and
          awareness of EVMS requirements, specifically program and contractor IBR requirements.

       2. Require that the program teams attend corresponding trainings and that EVM Focal Point staff
          be responsible for the development and implementation of training.

       3. Develop a method for holding the program manager responsible for ensuring the timely
          execution of the IBR.

       4. Retain evidence of requests for IBR deferrals past the required 180 day threshold. Require
          this evidence to be presented during the IBR Status Reports conducted with Joint Resources
          Council (JRC).


6. Insufficient contractor EVMS certification and surveillance at FAA

   Contractor EVMS has not been appropriately certified by FAA to meet the guidelines of ANSI/EIA
   Standard 748 as required by DOT and FAA policy. Additionally, FAA Management has not
   appropriately enforced contractor EVMS certification requirements, having permitted the continued
   operation and utilization of a non-certified contractor EVMS.

   Per FAA policy, the EVM Focal Point is responsible for assessing and validating EVM
   implementation and monitoring application to ensure compliance. The Office of Information
   Technology Value Management Office (AIT) is responsible for certifying program EVM systems.
   However, the prime contractor (“Crown Consulting Inc.”) EVMS utilized by the NEXCOM Segment
   1a investment has not been certified.

   As the contractor EVMS is not certified, reported EVM data for NEXCOM Segment 1a cannot be
   consistently validated for accuracy or completeness.

   FAA, which has a responsibility for coordinating and promulgating EVM requirements, has not
   consistently monitored key reporting activities per the AMS policy and ANSI/EIA Standard 748
   guidelines. EVMS certification requirements, although defined, are not adhered to by EVM Focal
   Point staff, as penalties for non-compliance are neither defined nor enforced.
EVMS certification has been delayed as a result of the contractor’s inability to meet required certification criteria. However, program reporting and acceptance of EVMS generated data was not halted as penalties for non-compliance were not enforced. Lack of an actionable set of repercussions enabled the continued operation and reliance upon the non-certified EVMS. Without completed provisions and monitoring of EVMS standardization and implementation, EVMS may be inconsistently applied across projects requiring its use. EVMS requirements are at risk of being reported improperly or neglected, reducing the reliability of reported EVMS data.

We recommend that FAA Management:

   1. Develop policies and procedures documenting time requirements for certification of Contractor EVMS, as well as follow-up requirements to occur in the event contractor EVMS is unable to achieve certification.

   2. Certify the Crown EVMS for NEXCOM.

   3. Perform analysis of investments under development and associated contractor EVMS to identify non-certified systems currently being used to report EVM data and perform analysis to determine impact of utilization of non-certified EVMS.

   4. Incorporate the timely and consistent tracking of EVMS certification into year-end performance metrics for EVM Focal Point staff.


V. MANAGEMENT RESPONSE TO THE REPORT

The following is the DOT CIO’s response, dated June 19, 2014, to the DOT EVM and Security Cost Reporting 2014 Performance Audit report.


Memorandum

U.S. Department of Transportation
Office of the Secretary of Transportation

ACTION: Response to the OIG Draft Report On US DOT EVMS Program and Practices for FY 2014
Date:
From: Richard McKinney, Chief Information Officer (CIO)
Reply to Attn. of:
To: Louis King, Assistant Inspector General for Financial and Information Technology Audits

The Department of Transportation's (DOT) Office of the Chief Information Officer (OCIO) continues to refine the use of the Department's Earned Value Management System (EVMS) and the value it brings to the project management community. While we have made progress in maturing the use of the EVMS, we will continue that progress and work to make EVMS a tool that helps drive decision making. Going forward, the OCIO will work to update EVM policy and implementation guidance that will enhance our ability to leverage best practices for training our program managers to ensure they have the core knowledge to apply EVM to applicable programs. Additionally, we will strengthen the procedures for validating contractor cost estimations and establish a required set of documents to support program rebaselining decisions.
These actions should posture the Department to EVMS success.


RECOMMENDATIONS AND RESPONSE

Recommendation 1: We recommend that OCIO update the DOT EVMIG to establish operational requirements and document a defined or recommended set of documents to be retained in the event of a formal project baseline change

Response: Concur. The Director of IT Governance will update the Earned Value Management Implementation Guide (EVMIG), setting forth clear operational procedures and documents required to support program rebaseline changes over the lifecycle for projects geared towards development, modernization, and enhancement activities. Expected completion date for this recommendation is December 31, 2014.


Recommendation 2: We recommend that the Office of the Senior Procurement Executive (OSPE) with assistance from the OCIO:

   1. Update policies and procedures for the validation of contractor cost estimates, and incorporate them into the DOT EVMIG and applicable DOT IBR guidance for Contracting Officers.

      Response: Concur. OCIO will work with OSPE in providing policy and procedural updates to strengthen EVM guidance that will outline requirements for validating contractor cost estimates. The updates will ensure program managers are aware of and comply with requirements outlined in Federal Acquisition Regulation policy on contractor cost estimation and IBRs. OCIO proposed updates will be coordinated with the OSPE. Guidance updates are expected to be complete no later than September 30, 2014.

   2. Develop policies and procedures for the retention of COTR and Procurement documented conclusions on the validity of provided contractor cost estimates.

      Response: Concur. OCIO will work with OSPE in drafting EVM policy and procedural guidance updates and coordinate recommendations with OSPE.
      Policy and guidance updates will focus on procedures for retaining appropriate procurement documents used to assess and validate contractor cost estimates. The revised guidance and policy are expected to be complete no later than September 30, 2014.


Recommendation 3: We recommend that OCIO develop procedures to standardize program and project EVM data for all OAs.

Response: Concur. OCIO will work to update the EVM guidance, which will outline procedures for providing standard data or artifacts required to measure the effectiveness of EVM and improve oversight / monitoring of baseline changes for affected OA programs. The updated guidance is expected to be complete no later than December 31, 2014.


Recommendation 4: We recommend that OCIO:

   1. Provide a platform or mechanisms for ensuring appropriate personnel managing programs that require EVM reporting must obtain OCIO and OSPE sponsored training prior to awarding contract.

      Response: Concur. OCIO will work with OSPE to leverage existing training provided through Federal Acquisition Institute, Defense Acquisition and other methods such as web based and/or computer based modules for project management professionals. The training is expected to provide the appropriate information for Project Managers and Program Managers to achieve at least minimum proficiency and certification levels for managing EVM affected programs. The planned completion is no later than March 31, 2015.

   2. Work with appropriate DOT personnel to ensure training qualifications are maintained in a designated repository.

      Response: Concur. OCIO will work with Department stakeholders to identify a designated repository for storing and maintaining EVM training qualifications.
      Once selected, the repository is intended to be maintained in a similar manner as that which is required for Program Management proficiency training. Expected date for completion is March 31, 2015.


Recommendation 5: We recommend that FAA Management:

   1. Further develop the FAA EVMS Training Module to promote consistency of reporting and awareness of EVMS requirements, specifically program and contractor IBR requirements.

      Response: Concur. The current Basic and Advanced EVM training does provide training on the need to conduct both contractor and program level IBRs. The training module will be reviewed and revised as needed to promote consistency in the reporting and awareness of EVM requirements for both program and contract IBRs. The EVM Focal Point will review and update the training material by June 30, 2014.

   2. Require that the program teams attend corresponding trainings and EVM Focal Point staff will be responsible for the development and implementations of training.

      Response: Concur. EVM training is planned and scheduled prior to each fiscal year. The schedule is published in FAA's eLearning Management System (eLMS). The program teams that require training will be informed of the requirement, directed to sign up for the training, and their attendance will be tracked through eLMS. Those requiring the training and not signed up will be contacted along with their Directors to ensure that they take the training in accordance with the established schedule. This provision for the tracking of training for the program teams will begin by July 1, 2014.

   3. Develop a method for holding the program manager responsible for ensuring the timely execution of the IBR.

      Response: Concur.
      The EVM Focal Point, in coordination with the program managers, has developed a list of the required IBRs and is now tracking their conduct. The EVM Focal Point will coordinate the development of a method to hold program managers responsible for timely execution of IBRs with the Directors of the programs. The FAA will provide the OIG with an update on this effort by September 30, 2014.

   4. Retain evidence of requests for IBR deferrals past the required 180 day threshold. Require this evidence to be presented during the IBR Status Reports conducted with Joint Resources Council (JRC).

      Response: Concur. The FAA will require the program managers to provide a rationale for deferring IBRs past the required 180 days deadline date through the EVM Focal Point. The EVM Focal Point will provide the information collected to the JRC in the quarterly EVM status briefing starting June 25, 2014. The EVM Focal Point will revise the IBR date on the IBR tracking sheet and monitor the conduct until the IBR is completed.


Recommendation 6: We recommend that FAA Management:

   1. Develop policies and procedures documenting time requirements for certification of Contractor EVMS, as well as follow-up requirements to occur in the event contractor EVMS is unable to achieve certification.

      Response: Concur. The FAA will develop policies and procedures documenting time requirements for contractor EVMS certification. These new policies and procedures will include follow-up requirements if the contractor is unable to achieve certification within the time requirements. The FAA plans to accomplish this effort by September 30, 2014.

   2. Certify the Crown EVMS for NEXCOM.

      Response: Concur. The EVM Focal Point certified the Crown EVMS during the week of May 12, 2014.
      There were no corrective actions but there were recommendations made. The final report will be issued by July 15, 2014. The certification letter that validates the EVMS will be developed and provided to the FAA Acquisition Executive for signature by July 31, 2014, at which time the FAA will provide the OIG a copy of the letter.

   3. Perform analysis of investments under development and associated contractor EVMS to identify non-certified systems currently being used to report EVM data and perform analysis to determine impact of utilization of non-certified EVMS.

      Response: Concur. The investments that are under contract that have the requirement for a certified EVMS and have yet to be certified will be identified, a list will be developed, and timeframes established for the certification of these EVMS. The contractors with the non-certified EVMS will be determined by July 31, 2014, and the list with timeframes will be developed by August 29, 2014. The timing of the conduct of the EVMS certifications will be coordinated between the contracting officer responsible for managing the contract and the EVM Focal Point. The contracting officer will ensure, with assistance from the EVM Focal Point, that the certifications are conducted within the established timeframe. If EVMS certifications are required, an analysis will be performed to determine the impact of the utilization of non-certified EVMs on investment programs. This effort should be completed no later than September 30, 2014.

   4. Incorporate the timely and consistent tracking of EVMS certification into year-end performance metrics for EVM Focal Point staff.

      Response: Concur. The annual performance plan of the EVM Focal Point developed by management captures the requirement to track and conduct EVMS certifications.
      These requirements are also captured in the annual Division Level Work Plan. The annual performance plan is developed and signed by both management and the EVM Focal Point in October of each year and is reviewed periodically during the year. This process includes a mid-year review, which is conducted in April, and the year-end performance review and assessment, which is conducted annually in September of each year. The Division Level Work Plan is reviewed on a quarterly basis and updated as required. Additionally, the EVM Focal Point meets bi-weekly with management for a status review which includes a report on the tracking and results from the conduct of EVMS certifications. The agency believes it has complied with this recommendation and requests that it be closed.


The Office of the DOT CIO appreciates the opportunity to review and respond to the report. If you have any questions concerning the response, please contact Walter McDonald at (202) 366-6067, or by email at walter.mcdonald@dot.gov


APPENDIX I – STATUS OF PRIOR-YEAR FINDINGS

As part of this year’s Performance Audit, we followed up on the status of the recommendations from the Office of Inspector General (OIG) report QC-2009-048, dated April 24, 2009, Quality Control Review of the Department’s Implementation of Earned Value Management and Security Cost Reporting.


Finding #: 2008-1: Controls Over the Reliability of Earned Value Management Systems (EVMS) Data Should Be Strengthened

Prior-Year Condition:
During our review of the EVMS used at the Department of Transportation (DOT), we identified the following exceptions related to the reliability of EVMS data:
   A. Controls to prevent unauthorized changes to the spreadsheets (i.e., key cells and spreadsheets used to calculate Earned Value Management (EVM)) have not been identified.
   B. Office of the Secretary of Transportation (OST) has not promoted nor provided standards for estimating project requirements for information technology (IT) projects. This includes considerations for:
      • Estimating resource requirements for project work elements
      • Assigning management resource/using an Organizational Breakdown Structure (OBS) and Responsibility Assignment Matrices (RAM) for control accounts and work elements
      • Estimating project activity duration and sequencing
      • Establishing EVM credit techniques, EVM performance analysis and reporting requirements including specific requirements for EVMS certification and surveillance procedure.

Recommendation:
   A. Ensure that controls over the process of collecting and reporting EVM data contain adequate provisions for controlling access and changes to the EVM data. In addition, adequate controls should be included over the analysis and monitoring processes in order to verify the accuracy and completeness of the EVM data. These provisions should be contained in related EVM policy and implementation procedures and in corresponding Statement of Work (SOW) with contractors.
   B. Consider incorporating the standards for estimating project requirements as described in the observations and incorporate in the to-be released EVM Implementation Guide.

Status: Implemented/Closed
   A. EVM tools and technology were restricted to individuals using role-based permissions established through Active Directory accounts to control the ability to access and change EVM data within the Oracle Primavera Portfolio Management (OPPM) tool. In addition, DOT released DOT Order 1351.22.1, Earned Value Management, dated July 15, 2010, and updated the DOT EVM Implementation Guide, dated September 29, 2010 to address policy and implementation procedures for the analysis and monitoring process of verifying the completeness and accuracy of EVM data. The DOT EVM Implementation Guide addresses the related policy and implementation procedures required in corresponding SOWs with contractors.
   B. Standards for estimating project requirements were included in the DOT EVM Implementation Guide, dated September 29, 2010.


Finding #: 2008-2: Controls Over the Reasonableness of Security Cost Estimates and Reporting Should Be Strengthened

Prior-Year Condition:
During our review of the security cost reporting practices performed at the DOT, we identified the following exceptions:
   A. There are no DOT specific policies or procedures for estimating, tracking and reporting security costs. This includes:
      a. Provisions for distributing resources based on assessed risks
      b. Provisions for using risk analysis, earned value and return on investment to determine which security controls should be funded and implemented
      c. Provisions for linking information security expenditures to the strategy and mission of the program
      d. Provisions for linking the security costs to OMB A-11 categories
      e. Provisions for developing a performance plan that addresses security resources including budget, staffing and training
   B. Security estimates for the IT Combined Infrastructure are self-reported by the Operating Administrations (OAs) and do not follow any consistent, predictable methodology from which future projections can be based by OST. In addition, there is no accountability over the reasonableness of the estimates provided by the OAs. Lastly, the estimates for the common IT services also do not follow a consistent methodology that provides a reasonable estimate of the future security costs based on the services rendered as the subordinate investments are migrated to the common operating environment.

Recommendation:
   A, B. Consider incorporating the standards for security budgeting as described in the observations, promulgate and monitor the use of the standards across OAs.

Status: Not Implemented/Open
   A, B. The prior year finding has not been closed as a standard security cost estimation process does not exist, and has not been developed nor promulgated by OST. While a small number of proprietary tools are used by individual OAs (i.e., National Highway Traffic Safety Administration (NHTSA) uses iREx to calculate its security costs), a standard policy or tool suite has not been implemented across DOT. OST acknowledged this and stated that security cost estimation procedures are in the process of being finalized, and noted that a March 30, 2014 deadline is in place to “Develop and/or revise the Department’s EA procedures to address the following: creation of a standardized methodology that provides reliable estimates of security funding needed for system investments.” OST Management stated that they anticipate meeting this target delivery date.


Finding #: 2008-3: Controls Over the Implementation and Use of EVMS In Project Oversight Should Be Strengthened

Prior-Year Condition:
During our review of the implementation and completeness of EVMS practices performed at the DOT we identified the following exceptions:
   A. The DOT EVM policy:
      a. The EVM Implementation Guidance referenced throughout the DOT EVM policy has not yet been created nor promulgated;
      b. Does not accurately recognize Federal Aviation Administration (FAA) applicability even though FAA’s requirements for implementing and using EVM are more stringent and are accompanied by EVM implementation guidance; and
      c. Does not contain provisions for Training, Integration with Portfolio Management, the use of templates and tools.
   B. There is no consistent enterprise approach to managing and applying EVM data across OAs.
   C. OST has not promoted nor provided standards for applying EVM in IT projects. This includes considerations for:
      a. Articulating and capturing project scope and work assignments through integrated baseline reviews
      b. Decomposing work using a standard work breakdown structure (WBS) for IT development projects (e.g., following a standardized software development lifecycle or SDLC)
      c. Managing concurrent efforts through an Integrated Master Schedule (IMS)
      d. EVM rebaselining guidelines and documentation retention requirements
      e. Conducting EVM training and lessons learned
   D. There are inconsistent EVMS practices being followed across OAs and investments. Specifically,
      a. Standard contract language for EVMS is not being used for Pipeline and Hazardous Materials Safety Administration (PHMSA) and NHTSA OAs and the Automated Surface Observing Systems/Automated Weather Observing System (ASOS/AWOS), Advanced Technologies and Oceanic Procedures (ATOP), Safety Monitoring and Analysis Reporting Tool (SMART) and Federal Motor Carrier Safety Administration (FMCSA) Modernization investments.
      b. Certain OAs and investments have not performed EVMS certification over their EVMS operated by contractors. Specifically the OST, NHTSA, FMCSA, and PHMSA OAs and the Terminal Automation Modernization and Replacement (TAMR), ASOS/AWOS, SMART and FMCSA Modernization investments.
      c. Inconsistent contractor surveillance of EVMS practices for OST, NHTSA, FMCSA, PHMSA OAs and ATOP, Automated Traffic Management/Traffic Flow Management (ATM/TFM), SMART and FMCSA Modernization investments.
      d. Standard WBS for development activities are not consistently used by PHMSA or the SMART investment.
      e. EVMS reporting frequency performed quarterly for NHTSA.

Recommendation:
   A. Evaluate, complete and promulgate the EVM policy and Implementation Guide.
   B. Evaluate the cost/benefits of leveraging an enterprise technology for managing projects and calculating EVM project level data.
   C. Consider incorporating the standards for applying EVM in project requirements as described in the observations and incorporate in the to-be released EVM Implementation Guide.
   D. Consider incorporating the standards for implementing and using EVM as described in the observations and incorporate in the to-be released EVM Implementation Guide.

Status: Partially Implemented/Open
   A. The DOT EVM Implementation Guide was revised from April 27, 2009 to September 29, 2010. This guide has been published and is utilized by OAs for guidance pertaining to the application of EVM requirements. Implemented.
   B. A standard framework for managing and applying EVM data across OAs' portfolios has been implemented through OPPM. However, tools and technology utilized to document, track, evaluate, and report project-level EVM data are not standardized. Partially Implemented.
   C. Rebaselining and documentation retention requirements have not been identified within the DOT EVM Implementation Guide. Additionally, there is no formalized DOT training program pertaining to EVMS. Partially Implemented.
   D. The DOT EVM Implementation Guide was revised from April 27, 2009 to September 29, 2010. This guide has been published and is utilized by OAs for determining the application of EVM requirements. FAA Requirements are documented in the FAA Acquisition Management System (AMS) Policy. While both the DOT EVM Implementation Guide and FAA AMS Policy address the requirements for the certification and surveillance of contractor EVMS and performance of Integrated Baseline Reviews (IBRs), we noted that certification and IBR activities had been inconsistently performed over contractor EVMS and major investments. Partially Implemented.


APPENDIX II – GLOSSARY OF TERMS

Acronym             Definition
ACIO                Associate Chief Information Office
ADS-B               Automatic Dependent Surveillance-Broadcast
AIS                 Aviation Information System
AIT                 Office of Information Technology Value Management Office
AMS                 Acquisition Management System
ANSI                American National Standards Institute
AO                  Authorizing Officials
ASOS/AWOS           Automated Surface Observing Systems/Automated Weather Observing System
ATM/TFM             Automated Traffic Management/Traffic Flow Management
ATOP                Advanced Technologies and Oceanic Procedures
C&A                 Certification and Accreditation
CDAN                Crash Data Acquisition Network
CIO                 Chief Information Officer
CLIN                Contract Line Item Number
COTR                Contracting Officer's Technical Representative
CPI                 Cost Performance Index
CPIC                Capital Planning and
Investment Control\nCSAM                Cyber Security Assessment and Management\nCV                  Cost variance\nDME                 Development Modernization Enhancement\nDOT                 Department of Transportation\nDOT COE             Department of Transportation Consolidated Operating Environment\nDR                  Disaster Recovery\nEA                  Enterprise Architecture\nE-Gov               Electronic Government\nEIA                 Electronic Industries Alliance\nEVM                 Earned Value Management\nEVMIG               Earned Value Management Implementation Guide\nEVMS                Earned Value Management System\nFAA                 Federal Aviation Administration\nFEA SPP             Federal Enterprise Architecture Security and Privacy Profile\nFHWA                Federal Highway Administration\nFID                 Final Investment Decision\nFIPS                Federal Information Processing Standards\nFISMA               Federal Information Security Management Act of 2002\nFMCSA               Federal Motor Carrier Safety Administration\nFRA                 Federal Railroad Administration\nFTA                 Federal Transit Administration\n\n\n\n                                                                                      Page 34\n\x0cGlossary of Terms                                                                   Appendix II\n\n     Acronym                                            Definition\nFTE                 Full-time Equivalent\nFY                  Fiscal Year\nGAGAS               Generally Accepted Government Auditing Standards\nGAO                 Government Accountability Office\nIBR                 Integrated Baseline Review\nIDA                 Investment Decision Authority\nIRB                 Investment Review Board\nISSM                Information Systems Security Manager\nISSO                Information Systems Security Officer\nIT                  Information Technology\nJRC                 Joint 
Resources Council\nKPMG                KPMG LLP\nMAPS                Management Activity Planning System\nMARAD               Maritime Administration\nMITI                Major IT Investment\nMS                  Microsoft\nNDIA                National Defense Industrial Association\nNEXCOM              Next Generation Air/Ground Communications\nNHTSA               National Highway Traffic Safety Administration\nNIST                National Institute of Standards and Technology\nNPIX                National Pipeline Information Exchange\nNTD                 National Transit Database\nOA                  Operating Administration\nOBS                 Organizational Breakdown Structure\nOCIO                Office of the Chief Information Officer\nOIG                 Office of Inspector General\nOMB                 Office of Management and Budget\nOPPM                Oracle Primavera Portfolio Management\nOST                 Office of the Secretary of Transportation\nPBC                 Provided by Client\nPHMSA               Pipeline and Hazardous Materials Safety Administration\nPIV                 Personal Identity Verification\nPM                  Project Manager\nPMA                 President's Management Agenda\nPMB                 Performance Measurement Baseline\nPOA&M               Plan of Action and Milestones\nPRM                 Performance Reference Model\nRCISS               Regulation and Certification Infrastructure for System Safety\nRITA                Research and Innovative Technology Administration\nSA&A                Security Assessment and Authorization\n\n\n                                                                                        Page 35\n\x0cGlossary of Terms                                                       Appendix II\n\n     Acronym                                         Definition\nSIEM                Security Information and Event Management\nSIM                 Security Information Management\nSLSDC               Saint 
Lawrence Seaway Development Corporation\nSMART               Safety Monitoring and Analysis Reporting Tool\nSO                  System Owner\nSOW                 Statement of Work\nSPI                 Schedule Performance Index\nSTB                 Surface Transportation Board\nSV                  Schedule Variance\nTAMR                Terminal Automation Modernization and Replacement\nWBS                 Work Breakdown Structure\n\n\n\n\n                                                                            Page 36\n\x0c"